A few scripts I have written to parse various Windows Background Intelligent Transfer Service (BITS) artefacts.
- Parses BITS jobs from QMGR files.
- QMGR files are named qmgr0.dat or qmgr1.dat and located in the folder %ALLUSERSPROFILE%\Microsoft\Network\Downloader.
- Capable to run in live mode or against precollected files.
- Initial Python parser used as inspiration by ANSSI here - https://github.com/ANSSI-FR/bits_parser
- Invoke-BitsParser currently does not carve non complete jobs.
- Currently not supported on Windows 10+
- carves BITS file transfer details from QMGR files.
- QMGR files are named qmgr0.dat or qmgr1.dat and located in the folder %ALLUSERSPROFILE%\Microsoft\Network\Downloader.
- Finding XferHeaders, Invoke-BitsTransfer then searches for valid paths.
- Run to carve all File transfer information - Source and Destination. Then look for unusual entries.
- Currently not supported on Windows 10+
- Extracts all BITS transfer URLs from Windows BITS Event log.
- Microsoft-Windows-Bits-Client/Operational Event ID 59.
- Whitelist of commonly used domains, please add new domains.
- The goal of this script is to detect anomolous sources for BITs transfers that can lead to additional investigation.
- Use -All switch to list all URL sources and do not run Whitleist check.
- Supported accross all Windows versions